init/Kconfig +0 −1 @@ -964,7 +964,6 @@ config UIDGID_CONVERTED # Security modules depends on SECURITY_TOMOYO = n depends on SECURITY_APPARMOR = n config UIDGID_STRICT_TYPE_CHECKS bool "Require conversions between uid/gids and their internal representation"
security/apparmor/domain.c +2 −2 @@ -721,7 +721,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest) if (!permtest) error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_CHANGE_HAT, AA_MAY_CHANGEHAT, NULL, target, 0, info, error); target, GLOBAL_ROOT_UID, info, error); out: aa_put_profile(hat); @@ -848,7 +848,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, audit: if (!permtest) error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, name, hname, 0, info, error); name, hname, GLOBAL_ROOT_UID, info, error); aa_put_namespace(ns); aa_put_profile(target);
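Review bot: Both updated aa_audit_file() calls (in aa_change_hat and aa_change_profile) pass GLOBAL_ROOT_UID as the object owner, although neither operation appears to have an owning file, so any audit record that prints ouid for them would read as root-owned. If the value is only a typed stand-in for the old literal 0, say so at the call sites, for example `/* no object owner for this op; GLOBAL_ROOT_UID keeps the previous ouid of 0 */`. Whether INVALID_UID would be a more honest placeholder depends on whether audit consumers rely on ouid=0 here, which this section does not show. Both function bodies start and end outside the hunks.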
security/apparmor/file.c +7 −5 @@ -65,7 +65,7 @@ static void audit_file_mask(struct audit_buffer *ab, u32 mask) static void file_audit_cb(struct audit_buffer *ab, void *va) { struct common_audit_data *sa = va; uid_t fsuid = current_fsuid(); kuid_t fsuid = current_fsuid(); if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) { audit_log_format(ab, " requested_mask="); @@ -76,8 +76,10 @@ static void file_audit_cb(struct audit_buffer *ab, void *va) audit_file_mask(ab, sa->aad->fs.denied); } if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) { audit_log_format(ab, " fsuid=%d", fsuid); audit_log_format(ab, " ouid=%d", sa->aad->fs.ouid); audit_log_format(ab, " fsuid=%d", from_kuid(&init_user_ns, fsuid)); audit_log_format(ab, " ouid=%d", from_kuid(&init_user_ns, sa->aad->fs.ouid)); } if (sa->aad->fs.target) { @@ -103,7 +105,7 @@ static void file_audit_cb(struct audit_buffer *ab, void *va) */ int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, gfp_t gfp, int op, u32 request, const char *name, const char *target, uid_t ouid, const char *info, int error) const char *target, kuid_t ouid, const char *info, int error) { int type = AUDIT_APPARMOR_AUTO; struct common_audit_data sa; @@ -201,7 +203,7 @@ static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state, */ perms.kill = 0; if (current_fsuid() == cond->uid) { if (uid_eq(current_fsuid(), cond->uid)) { perms.allow = map_old_perms(dfa_user_allow(dfa, state)); perms.audit = map_old_perms(dfa_user_audit(dfa, state)); perms.quiet = map_old_perms(dfa_user_quiet(dfa, state));
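Review bot: The two rewritten audit_log_format() calls in file_audit_cb print the uid_t returned by from_kuid() with `%d`, so an id above INT_MAX would be logged as a negative number; `%u` matches the type, e.g. `audit_log_format(ab, " fsuid=%u", from_kuid(&init_user_ns, fsuid));` and likewise for ouid. The conversion predates this commit, so confirm that audit log parsers tolerate the change before switching. The same lines would also benefit from a short comment that ids are reported as seen from the initial user namespace, presumably so the audit trail shows host-wide ids rather than the ids a process inside a user namespace sees: `/* audit records report uids relative to init_user_ns */`.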
security/apparmor/include/audit.h +1 −1 @@ -125,7 +125,7 @@ struct apparmor_audit_data { const char *target; u32 request; u32 denied; uid_t ouid; kuid_t ouid; } fs; }; };
security/apparmor/include/file.h +2 −2 @@ -71,7 +71,7 @@ struct path; /* need to make conditional which ones are being set */ struct path_cond { uid_t uid; kuid_t uid; umode_t mode; }; @@ -146,7 +146,7 @@ static inline u16 dfa_map_xindex(u16 mask) int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, gfp_t gfp, int op, u32 request, const char *name, const char *target, uid_t ouid, const char *info, int error); const char *target, kuid_t ouid, const char *info, int error); /** * struct aa_file_rules - components used for file rule permissions